topic Re: Network Security Guidelines in Operating System - HP-UX

Network Security Guidelines

Arun Jain — Wed, 12 May 2010 06:08:10 GMT

Hi All,

I am working on some servers that are under installation (HP-UX 11.31) on Blade Servers. Post installation I had to implement network security features for preventing unauthorised access.

Please give some inputs like what all the ports/services should be disabled etc. and also provide some support document.

Thanks & Regards:
Arun Jain

Re: Network Security Guidelines

Matti_Kurkela — Wed, 12 May 2010 06:32:08 GMT

The short answer: Disable everything, then re-enable only what you need.

All standard HP-UX network services can be disabled by editing either /etc/inetd.conf or the files in /etc/rc.config.d/.

MK

Re: Network Security Guidelines

Burak Topal — Wed, 12 May 2010 06:35:12 GMT

Hi,

The document below is DISA's unix security checklist. It includes hp-ux too.

http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-19_20090815.zip

Re: Network Security Guidelines

Prasanth V Aravind — Wed, 12 May 2010 06:39:11 GMT

Hi Arun,

Attached the standard netwok security settings which we used to do before server rollout. It seems to be helpful to you.

Gudluck
Prasanth

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 06:49:26 GMT

Hi,

Perform the following to disable standard inetd-based services:
1. Change to the /etc directory
2. Open inetd.conf
3. Disable the following services by adding a comment character (#) to the beginning of its definition:
â ¢ echo
â ¢ discard
â ¢ daytime
â ¢ chargen
â ¢ dtspc
â ¢ exec
â ¢ ntalk
â ¢ rpc.rwalld
â ¢ rpc.sprayd
â ¢ rpc.cmsd
â ¢ kcms_server
â ¢ printer
â ¢ shell
â ¢ login
â ¢ finger
â ¢ uucp
â ¢ ident
â ¢ auth
â ¢ instl_boots
â ¢ registrar
â ¢ recserv
â ¢ rpc.rstatd
â ¢ rpc.rusersd
â ¢ bootps
â ¢ kshell
â ¢ klogin
â ¢ rpc.rquotad
â ¢ rpc.ttdbserver
4. Save inetd.conf.
5. Set root as the owner of inetd.conf.
6. Set sys as the group owner of inetd.conf.
7. Restrict write access to inetd.conf to the file owner.
8. Remove the executable and sticky bit from inetd.conf.
9. Invoke inetd to reread itâ s config file: inetd -c

Regards,
Aneesh

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 06:58:01 GMT

Disable login prompts on serial ports:-
=======================================

If there is not a mission-critical need to provide login capability from any serial ports (such as for a modem) then disabling the login: prompt on the system serial devices reduces the risk of unauthorised access via these ports.
Note that this action may safely be performed even if console access to the system is provided via the serial ports, as the line in the /etc/inittab file that corresponds to the console does not match the supplied pattern (i.e., it doesnâ t contain the string â ttyâ ).

Perform the following to disable the login: prompt on the system serial devices:
1. Open /etc/inittab.
2. Disable each getty instance associated with a tty device by adding a comment character (#) to the beginning of the line.
3. Save /etc/inittab.*

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 06:59:27 GMT

Disable NIS/NIS+ related process if possible
=====================================

Disable NIS/NIS+ related processes.
Network Information Service (NIS) is a distributed database providing centralised control of names, addresses, services, and key configuration files throughout a network of servers and clients. NIS was formerly known as Yellow Pages (YP).
NIS+ is a replacement for NIS services, and is more scalable, flexible, and secure. It adds a security system with authentication and authorization services to validate users on the network and to determine if they allowed to access or modify the information requested.
However, both systems have known security vulnerabilities, and have been an entry point for security attacks.

Eliminate exposure to NIS/NIS+ vulnerabilities by not running related daemons on hosts that are not NIS/NIS+ servers or clients.

Perform the following to disable the startup of NIS/NIS+ related processes:
ch_rc -a -p NIS_MASTER_SERVER=0 -p NIS_SLAVE_SERVER=0 \
-p NIS_CLIENT=0 -p NISPLUS_SERVER=0 \
-p NISPLUS_CLIENT=0 /etc/rc.config.d/namesvrs

Aneesh

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 07:00:46 GMT

Disable the CDE GUI login, if possible
=======================================

CDE stands for "Common Desktop Environment," and is an environment for logging on to and interacting with your system via an X-windows type GUI interface from the console. Intended for use with workstation or desktop systems, this service is not commonly used with the server-class systems or in large enterprise environments.

The X Windows-based CDE GUI on HP-UX systems has had a history of security issues, and should be disabled if unused.

Perform the following to disable the GUI login:
ch_rc -a -p DESKTOP="" /etc/rc.config.d/desktop

Aneesh

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 07:01:37 GMT

Disable email server, if possible
==================================

Disable the sendmail daemon to avoid processing incoming email.
It is possible to run a Unix system with the Sendmail daemon disabled and still allow users on that system to send email out from that machine. Running Sendmail in "daemon mode"
(with the -bd command-line option) is only required on machines that act as mail servers, receiving and processing email from other hosts on the network. The remediation will result in a machine that can send email but not receive it.

Avoid potential vulnerabilities in the sendmail server if incoming email service is not used.

Perform the following to disable the sendmail server:
1. Set the SENDMAIL_SERVER parameter to zero in the mailservs system configuration file.
2. Setup a cron job to run sendmail at regular intervals (e.g. every hour) in order to process queued, outgoing mail.
The following script will perform the above procedure:
ch_rc -a -p SENDMAIL_SERVER=0 /etc/rc.config.d/mailservs
cd /var/spool/cron/crontabs
crontab -l >root.tmp
echo '0 * * * * /usr/lib/sendmail -q' >>root.tmp
crontab root.tmp
rm -f root.tmp

Aneesh

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 07:02:44 GMT

Disable SNMP and OpenView Agents, if remote management or monitoring is not needed.
=====================================

If SNMP and OpenView agents are not needed, avoid potential security vulnerabilities in these programs by disabling them.

Perform the following to disable the SNMP and OpenView Agents:
cd /sbin/rc2.d
mv -f S570SnmpFddi .NOS570SnmpFddi

ch_rc -a -p SNMP_HPUNIX_START=0 \
/etc/rc.config.d/SnmpHpunix
ch_rc -a -p SNMP_MASTER_START=0 \
/etc/rc.config.d/SnmpMaster
ch_rc -a -p SNMP_MIB2_START=0 \
/etc/rc.config.d/SnmpMib2
ch_rc -a -p SNMP_TRAPDEST_START=0 \
/etc/rc.config.d/SnmpTrpDst
ch_rc â a â p OSPFMIB=0 \
/etc/rc.config.d/netdaemons
ch_rc â a â p OPCAGT=0 \
/etc/rc.config.d/opcagt

Aneesh

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 07:03:36 GMT

Network parameter modifications
===============================

Network parameter default values should align with current best practices unless there is a specific need to use other values.

Perform the following to update the default network parameter values:
1. Change to the /etc/rc.config.d directory
2. Open nddconf and review the comment lines on how to use the configuration file
3. Set each of the following network parameters to the recommended value. If a parameter does not have an entry in nddconf then add a new entry to the end of the file while properly incrementing the parameter index:
TRANSPORT_NAME, NDD_NAME, NDD_VALUE
tcp tcp_syn_rcvd_max 4096
arp arp_cleanup_interval 60000
ip ip_forward_src_routed 0
ip ip_forward_directed_broadcasts 0
ip ip_respond_to_timestamp 0
ip ip_respond_to_timestamp_broadcast 0
ip ip_respond_to_address_mask_broadcast 0
ip ip_respond_to_echo_broadcast 0
4. Save nddconf.

If creating this file for the first time:
1. Set root as the owner of nddconf.
2. Set sys as the group owner of nddconf.
3. Restrict write access to nddconf to the file owner.
4. Remove the executable and sticky bit from nddconf.

Aneesh

Re: Network Security Guidelines

Aneesh Mohan — Wed, 12 May 2010 07:05:15 GMT

Additional network parameter modifications
=========================================
Configure networking to NOT forward TCP/IP packets between multiple networks, even if the machine has multiple network adapters connected to multiple networks.

System is not going to be used as a firewall or gateway to pass network traffic between different networks.

1. Change to the /etc/rc.config.d directory
2. Open nddconf and review the comment lines on how to use the configuration file
3. Set each of the following network parameters to the recommended value. If a parameter does not have an entry in nddconf then add a new entry to the end of the file while properly incrementing the parameter index:
TRANSPORT_NAME NDD_NAME NDD_VALUE
ip ip_forwarding 0
ip ip_send_redirects 0
4. Save nddconf.
If creating this file for the first time:
5. Set root as the owner of nddconf.
6. Set sys as the group owner of nddconf.
7. Restrict write access to nddconf to the file owner.
8. Remove the executable and sticky bit from nddconf

Aneesh

Re: Network Security Guidelines

Arun Jain — Wed, 12 May 2010 07:13:30 GMT

Hi burak,

Your link is not working. If possible, please attach it directly to the thread...

Regards
Arun

Re: Network Security Guidelines

Burak Topal — Wed, 12 May 2010 07:45:28 GMT

Sorry, the doc is a little greater than the allowed size(1.12mb), but you can find under

http://iase.disa.mil/stigs/checklist/

with the name

UNIX Security Checklist Version 5, Release 1.24 - Updated! posted Apr 20, 2010

Regards,

Re: Network Security Guidelines

Fred K. Abell Jr._1 — Wed, 26 May 2010 13:22:00 GMT

Bastille is a good start. It will take care of most of the low hanging fruit. CIS benchmarks are also good http://cisecurity.org/en-us/?route=default. For more advanced help, go to the SANS.org reading room http://www.sans.org/reading_room/ and search 'securing hp-ux'. A lot of what you have to do depends on how you are going to use the box. A workstation in a lab is going to be done differently than a web server.

Fred